dynamic interfaces (DHCP) and full site to site

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

dynamic interfaces (DHCP) and full site to site

L1 Bithead

Hi 

I have Palo-220 that move every X- days from one office to another office 

the Palo have a Lan interfaces and wan interface

interface Wan (eth1/1) configured with DHCP and automatically add a default route checkbox 

 

also i have a full Site2Site tunnel that all (0.0.0.0/0) network need to go into the tunnel 

i have to static route in routeing table 1 for wan interface and one for tunnel

i try to config static route for Ipsec peer via eth1/1 without nexthop ip only nexthop interface 

and it's not work if i create a static route with nexthop ip all work but my default gateway change every  office that i move 

 

any ideas ? 

4 REPLIES 4

L2 Linker

Hello Igor,

 

If I understand correctly, you have two Palo Alto firewalls, each of which has WAN interfaces that obtain their IP addresses via DHCP. Is that correct?

 

Next, you require the ability to configure site-to-site VPN between these firewalls but do not want to have to make configuration changes each time the firewalls are moved, or if the DHCP-assigned IP address changes. Is that also correct?

 

If my understanding of both cases is correct, then you can accomplish this through two steps:

 

1. Dynamic DNS - you will need a DNS provider that supports Dynamic DNS registration - the site-to-site VPN connectivity can be configured such that the firewalls do not need to know the IP address of the remote gateway. Ensure that DDNS is enabled on the external/WAN interface:

 

Configure Dynamic DNS Registration for Firewall Interfaces

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-dynamic-dns-for-firew...

 

2. IPSec Site-to-Site VPN in Aggressive Mode via FQDN - when you go to configure the IKE Gateway objects define the remote gateway by FQDN as opposed to by IP address.

 

IKE Gateway General Tab (specifically the Local and Remote Identification settings)

 

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network-network-profi...

 

The documentation specific to IKE Gateway settings for PAN-OS 8.1 is labeled differently on the Documentation portal:

 

FQDN Support for IKE Gateway Peer IP Address

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/networking-features/fqdn-support-fo...

 

Please come back if you have any additional questions. Thanks again for reaching out!

 

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

 

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

 

If I understand correctly, you have two Palo Alto firewalls, each of which has WAN interfaces that obtain their IP addresses via DHCP. Is that correct? 

No, I have one PaloAlto - this Palo moves from office to home and from home to office every day

 

Next, you require the ability to configure site-to-site VPN between these firewalls but do not want to have to make configuration changes each time the firewalls are moved, or if the DHCP-assigned IP address changes. Is that also correct?

No, I have one PaloAlto in my office that connect to FW on DC via IPsec Tunnel but when I go home I take with me the firewall to connect from home,

 

In my office and in my home I have a DHCP from my ISP modem and I need to connected via IPsec full tunnel

 

Hi Igor,

 

Apologies but I do not understand what you mean:

 

"No, I have one PaloAlto in my office that connect to FW on DC via IPsec Tunnel but when I go home I take with me the firewall to connect from home"

 

Let me try to break this down:

 

1. You have a firewall in your data center - what kind of firewall is in the data center? Is it another Palo Alto firewall? Or something else? Is it safe to assume that the firewall in the data center has a static IP address?

2. You have a Palo Alto firewall in your office - you then take that firewall home with you and you want it to be able to connect to the same firewall at the data center?

 

This is what you need to do...

 

The Palo Alto firewall that you bring to your office and back home - that firewall must initiate the connection to the data center firewall.

 

If the firewall in the data center has a static IP address, you can define the "Peer" by IP address in the Palo Alto firewall you move between locations.

 

If the firewall in the data center has a dynamic IP address, you should configure that firewall to perform a Dynamic DNS registration. That way, you can configure the "Peer" by the fully qualified domain name instead of by IP address.

 

In either case, the VPN must be configured for "aggressive" mode instead of "main" mode. You can only use "main" mode if the peer IP addresses are static on both ends of the VPN tunnel.

 

I created some sample configurations - take a look at the screenshots attached to this message.

 

I could only submit 3 attachments on the last post. There is one additional attachment on this post.

 

I hope this is helpful!

  • 19277 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!